Researcher for the Netherlands Forensic Institute (NFI)

Microsoft Enterprise Security MVP

Speaker at various security events, such as PacSec,
BlackHat USA, Europol High Tech Crime Meeting,
Shakacon, etc.

Past work:

• SandMan Framework (Windows hibernation file)

• Win32/64dd (Windows memory acquisition utility).
Audience:

• Forensics experts
• Investigators
• Incident response engineers
Pros:

1. Sometimes non-volatile memory is not enough;
then we need volatile memory (physical memory).

Cons:

1. Very complex.

2. Lack of research.
Target

• Intel Core processor (x86/x64)
• Mac OS X Leopard 10.5
• Mac OS X Snow Leopard 10.6



Software-based acquisition

/dev/mem

Cons: Disabled by default (on 10.5/10.6 the device node only exists
when the kernel is booted with the kmem=1 boot argument).

Pros: We can write our own driver.

Hibernation a.k.a. "safe sleep"

Pros: Present on all modern O.S.

Cons: Compressed, and can be encrypted if the secure virtual memory
mechanism is used (hibernatemode == 5, or 7 for the sleep-and-hibernate
variant; check the setting with pmset -g | grep hibernatemode).
Goal: To avoid random string searching.
To be precise and efficient.
Analysis

1. Get kernel symbols.
2. Initialize the kernel memory manager.
3. Browse the kernel virtual address space.
4. Collect information.
The Windows compiler stores symbols in external files called *.PDB.

The Mac OS X compiler stores symbols inside a section which is part of
the executable.

The Mac OS X kernel executable (mach_kernel) serves as the symbol database.
Why?

The KLD, LINKEDIT, PRELINK and symtab kernel sections are destroyed
as soon as the kernel (mach_kernel) is loaded, by the
removeKernelLinker() function. The on-disk mach_kernel still has them.

What?

The linkedit section contains variable names and offsets.
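The following Python script is an added illustration of this step; it is not the presenter's tool. It reads the LC_SYMTAB load command of a thin little-endian Mach-O and returns every defined symbol with its address, which is how the on-disk mach_kernel (/mach_kernel on 10.5/10.6) is used as the symbol database once the in-memory copy has lost its linkedit data. The image it parses is a constructed stand-in produced by build_fake_kernel(); the symbol names are the ones the slides mention, but their values are invented for the demo and are not real kernel addresses.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SYMTAB = 0x2
N_STAB, N_TYPE, N_SECT = 0xE0, 0x0E, 0x0E     # nlist n_type masks / section type


def macho_symbols(data):
    """Return {name: address} for every defined (N_SECT) symbol of a
    little-endian Mach-O image, read through its LC_SYMTAB load command.
    Real case: macho_symbols(open("/mach_kernel", "rb").read())."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:        # mach_header is 28 bytes, nlist is 12 bytes
        hdr_size, nlist_fmt = 28, "<IBBhI"
    elif magic == MH_MAGIC_64:   # mach_header_64 is 32 bytes, nlist_64 is 16
        hdr_size, nlist_fmt = 32, "<IBBHQ"
    else:
        raise ValueError("not a thin little-endian Mach-O (magic %#x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    symtab, off = None, hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > hdr_size + sizeofcmds:
            raise ValueError("malformed load command at %#x" % off)
        if cmd == LC_SYMTAB:
            symtab = struct.unpack_from("<IIII", data, off + 8)  # symoff, nsyms, stroff, strsize
        off += cmdsize
    if symtab is None:
        raise ValueError("no LC_SYMTAB: the symbol table has been stripped")
    symoff, nsyms, stroff, strsize = symtab
    strtab = bytes(data[stroff:stroff + strsize])
    nl_size = struct.calcsize(nlist_fmt)
    symbols = {}
    for i in range(nsyms):
        n_strx, n_type, _n_sect, _n_desc, n_value = struct.unpack_from(
            nlist_fmt, data, symoff + i * nl_size)
        if n_type & N_STAB or (n_type & N_TYPE) != N_SECT:
            continue             # debug stabs and undefined imports carry no address
        symbols[strtab[n_strx:strtab.index(b"\0", n_strx)].decode()] = n_value
    return symbols


def build_fake_kernel(symbols):
    """Constructed 32-bit stand-in for mach_kernel: header, a single
    LC_SYMTAB, the nlist array and the string table. symbols is a list of
    (name, n_type, value); the values are made up for the demo."""
    strtab, nlist = bytearray(b"\0"), bytearray()
    for name, n_type, value in symbols:
        n_sect = 1 if (n_type & N_TYPE) == N_SECT else 0
        nlist += struct.pack("<IBBhI", len(strtab), n_type, n_sect, 0, value)
        strtab += name.encode() + b"\0"
    symoff = 28 + 24                       # header + one 24-byte LC_SYMTAB
    stroff = symoff + len(nlist)
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 1, 24, 0)   # i386, MH_EXECUTE, 1 cmd
    lc_symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(symbols), stroff, len(strtab))
    return bytes(header + lc_symtab + nlist + strtab)


FAKE_KERNEL = build_fake_kernel([
    ("_version",     0x0F, 0x004C1000),   # N_SECT | N_EXT: defined, exported
    ("_IdlePML4",    0x0F, 0x00104000),
    ("_IdlePDPT",    0x0F, 0x00103000),
    ("_nsysent",     0x0F, 0x004E0A40),
    ("_kmod",        0x0F, 0x004F2200),
    ("_printf$stub", 0x01, 0x00000000),   # N_UNDF | N_EXT: import, no address
    ("_dbg_marker",  0x64, 0x00001234),   # N_SO stab: debug info, skipped
])


def resolve(symbols, *names):
    """Fetch the variables the analysis starts from, failing loudly on a gap."""
    missing = [n for n in names if n not in symbols]
    if missing:
        raise KeyError("symbols not found: " + ", ".join(missing))
    return {n: symbols[n] for n in names}


if __name__ == "__main__":
    syms = macho_symbols(FAKE_KERNEL)
    for name, addr in resolve(syms, "_version", "_IdlePML4", "_nsysent", "_kmod").items():
        print("%-10s %#010x" % (name, addr))
```

Undefined imports and stab entries are skipped because their n_value is not an address; a stripped kernel (no LC_SYMTAB) is reported instead of silently returning an empty map.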
Quick kernel virtual to physical address formula:

Operating System       Quick translation formula
i386 Linux             KPA = KVA - 0xC0000000
Playstation 3 Linux    KPA = KVA - 0xC000000000000000
Windows                KPA = KVA & 0x1FFFF000
Mac OS X               KPA = KVA

Now we can read variables from the symbol section in the physical
memory.
Works only for the mapped executable kernel (text and data sections).

Does not work for allocated buffers.

.data interesting exported variables:
Memory manager variables
Super interesting variables

_IdlePDPT
_IdlePDPT64
_IdlePML4
_IdlePTD

The Page Map Level 4 is initialized on the x86 version
even if x86 only uses PAE.
Page Map Level 4 paging method.
Supports 48-bit linear/virtual addresses.

Intel® 64 and IA-32 Architectures Software Developer's Manual
Volume 3A: System Programming Guide

4.5 IA-32e Paging
PML4

[Diagram: IA-32e linear address translation. The linear/virtual address
is split into PML4, Directory Ptr, Directory, Table and Offset fields;
the PML4 index selects a PML4E in the table at IdlePML4, the PML4E
selects a PDPTE, the PDPTE selects a PDE (with PS=0), the PDE selects a
PTE, and the PTE plus the Offset field gives the physical address.]

Now, we can browse the kernel virtual address space.
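An added example, not the presenter's code, of the step the diagram describes: a 4-level IA-32e page-table walk over a raw physical-memory image, plus a helper that reads kernel virtual memory across page boundaries. With the slide's KPA = KVA rule for Mac OS X, the value found for the IdlePML4 symbol can be passed straight in as the PML4's physical address. Everything below the walker is constructed for the demo: the image, where the tables sit, the mapped addresses (one 4 KiB mapping and one 2 MiB PS=1 mapping) and the marker bytes.

```python
import struct

PAGE = 0x1000
P_PRESENT, P_PS = 1 << 0, 1 << 7
ADDR_MASK = 0x000FFFFFFFFFF000      # bits 12..51 of an entry: next table / page base


class PhysMem:
    """Raw physical-memory image; on a real case this wraps the dump file."""
    def __init__(self, size):
        self.buf = bytearray(size)

    def read_u64(self, pa):
        if pa < 0 or pa + 8 > len(self.buf):
            raise ValueError("physical address %#x outside the image" % pa)
        return struct.unpack_from("<Q", self.buf, pa)[0]

    def write_u64(self, pa, value):
        struct.pack_into("<Q", self.buf, pa, value)


def translate(mem, pml4_pa, va):
    """IA-32e 4-level translation (SDM Vol. 3A, 4.5): PML4E -> PDPTE -> PDE ->
    PTE. Returns (physical address, page size) or None if not mapped;
    1 GiB and 2 MiB pages (PS=1) are handled, non-canonical input rejected."""
    if (va >> 47) not in (0, 0x1FFFF):
        raise ValueError("non-canonical address %#x" % va)
    i4, i3, i2, i1 = ((va >> s) & 0x1FF for s in (39, 30, 21, 12))
    pml4e = mem.read_u64(pml4_pa + i4 * 8)
    if not pml4e & P_PRESENT:
        return None
    pdpte = mem.read_u64((pml4e & ADDR_MASK) + i3 * 8)
    if not pdpte & P_PRESENT:
        return None
    if pdpte & P_PS:
        return ((pdpte & 0x000FFFFFC0000000) | (va & 0x3FFFFFFF), 1 << 30)
    pde = mem.read_u64((pdpte & ADDR_MASK) + i2 * 8)
    if not pde & P_PRESENT:
        return None
    if pde & P_PS:
        return ((pde & 0x000FFFFFFFE00000) | (va & 0x1FFFFF), 1 << 21)
    pte = mem.read_u64((pde & ADDR_MASK) + i1 * 8)
    if not pte & P_PRESENT:
        return None
    return ((pte & ADDR_MASK) | (va & 0xFFF), PAGE)


def read_virtual(mem, pml4_pa, va, length):
    """Read kernel virtual memory one mapped page (of whatever size) at a time."""
    out = bytearray()
    while len(out) < length:
        hit = translate(mem, pml4_pa, va)
        if hit is None:
            raise ValueError("virtual address %#x is not mapped" % va)
        pa, psize = hit
        chunk = min(length - len(out), psize - (va & (psize - 1)))
        out += mem.buf[pa:pa + chunk]
        va += chunk
    return bytes(out)


def build_demo_image():
    """Constructed 4 MiB image holding a boot-style page map. On a real dump
    the PML4 is found through the IdlePML4 symbol; here its location, the
    mapped addresses and the marker bytes are arbitrary choices for the demo."""
    mem = PhysMem(4 << 20)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    rw = P_PRESENT | 2                                      # present, writable
    mem.write_u64(pml4 + 0 * 8, pdpt | rw)
    mem.write_u64(pdpt + 0 * 8, pd | rw)
    mem.write_u64(pd + 0x105 * 8, pt | rw)                  # VA 0x20A00000..0x20BFFFFF via 4 KiB PTEs
    mem.write_u64(pd + 0x106 * 8, 0x200000 | P_PS | rw)     # VA 0x20C00000..0x20DFFFFF: one 2 MiB page
    mem.write_u64(pt + 0x3F * 8, 0x5000 | rw)               # VA 0x20A3F000 -> PA 0x5000
    mem.buf[0x5100:0x5104] = b"KEXT"                        # marker read back through the VA below
    return mem, pml4


MEM, PML4_PA = build_demo_image()

if __name__ == "__main__":
    for va in (0x20A3F123, 0x20C01234, 0x20E00000):
        print("%#010x -> %r" % (va, translate(MEM, PML4_PA, va)))
    print(read_virtual(MEM, PML4_PA, 0x20A3F100, 4))
```

The walker reads every table through the physical image only, so it does not depend on the identity mapping once it has the PML4; that is what makes the allocated buffers (kexts, proc structures) reachable when the quick KPA = KVA rule is not.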
The version variable contains a string with the kernel version and
compilation time.

The machine_info variable / structure contains:

Field Name        Description
major_version     Major OS version
minor_version     Minor OS version
max_mem           Physical memory size
physical_cpu      Number of physical CPUs
logical_cpu       Number of logical CPUs
Machine Information

[Screenshot of the tool's output: the Darwin kernel version string
(Darwin Kernel Version 9.x, xnu-1228, RELEASE_I386 build), followed by
major version, minor version, max number of CPUs (4), size of physical
memory, number of physical CPUs and number of logical CPUs; the
remaining values are not legible in the extraction.]
A linked list called mountlist, defined by the mount structure.

Field Name        Description
f_fstypename      File system type
f_mntonname       Mounted directory
f_mntfromname     Mounted file system

Mounted File System

 id  type    mounted on              mounted from
  0  hfs     /                       (unreadable)
  1  devfs   /dev                    devfs
  2  fdesc   /dev                    fdesc
  3  autofs  /net                    map -hosts
  4  autofs  /home                   map auto_home
  5  hfs     /Volumes/VMware Tools   (unreadable)
  6  hfs     (unreadable)            /dev/disk2s1
  7  msdos   /Volumes/FAT BACK       /dev/disk2s2
The kmod variable is the list head of every loaded
kernel extension, defined by the kmod structure.

Field Name   Description
address      Base address
size         Total size
hdr_size     Header size
name         Extension name
version      Version
next         Pointer to the next entry
[Screenshot of the tool's kmod listing; columns are id, reference
count, address, size, hdr_size and name (version). Cells that are not
legible in the extraction are marked "?", empty reference counts "-".]

 id refs  address    size       hdr_size   name (version)
 43   -   ?          0x0000C000 0x0000B000 com.apple.driver.AppleUSBHub (3.4.0)
 42   -   0x20A3F000 0x00002000 0x00001000 com.apple.iokit.IOUSBUserClient (3.3.1)
 41   -   0x209DE000 0x00012000 0x00011000 com.apple.driver.AppleUSBEHCI (3.4.3)
 40   -   0x20935000 0x0000E000 0x0000D000 com.apple.driver.AppleUSBUHCI (3.3.5)
 39   8   0x2085B000 0x00029000 0x00028000 com.apple.iokit.IOUSBFamily (3.4.3)
 38   -   0x2076E000 0x00013000 0x00012000 com.apple.driver.AppleLSIFusionMPT (2.0.3)
 37   1   0x20737000 0x00008000 0x00007000 com.apple.iokit.IOSCSIParallelFamily (1.5.2)
 36   6   ?          0x00019000 0x00018000 com.apple.iokit.IOSCSIArchitectureModelFamily (2.0.9)
 35   -   0x2064C000 0x00009000 0x00008000 com.apple.driver.AppleIntelPIIXATA (2.0.0)
 34   2   0x20633000 0x0000D000 0x0000C000 com.apple.iokit.IOATAFamily (2.0.1)
 33   -   0x2058B000 0x00004000 0x00003000 com.apple.driver.AppleACPIButtons (1.2.4)
 31   9   0x2047D000 0x00018000 0x00017000 com.apple.iokit.IOStorageFamily (1.5.6)
 30   -   0x20359000 0x00005000 0x00004000 com.apple.driver.AppleRTC (1.2.3)
 29   -   0x20317000 0x00003000 0x00002000 com.apple.driver.AppleACPIPCI (1.2.4)
 28   -   0x201B8000 0x00004000 0x00003000 com.apple.driver.AppleSMBIOS (1.4)
 27   -   0x1AFF7000 0x00003000 0x00002000 com.apple.driver.AppleAPIC (1.4)
 26   -   0x1AFD1000 0x00018000 0x00017000 com.apple.security.seatbelt (107.12)
 25   -   0x1AF91000 0x00008000 0x00007000 com.apple.nke.applicationfirewall (1.6.77)
 24   -   0x1AF77000 0x00003000 0x00002000 com.apple.security.TMSafetyNet (3)
 23   -   0x1AF2A000 0x0001F000 0x0001E000 com.apple.driver.AppleIntelCPUPowerManagement (76.0.0)
 22   2   0x1AE87000 0x00039000 0x00038000 com.apple.iokit.IOHIDFamily (1.5.5)
 21   -   0x1ADC3000 0x00005000 0x00004000 com.apple.BootCache (30.4)
 20   -   ?          0x00002000 0x00001000 com.yourcompany.driver.NullCPUPowerManagement (1.0.0d1)
 19   2   0x1AD1B000 0x0003E000 0x0003D000 com.apple.driver.AppleACPIPlatform (1.2.4)
 18   8   0x1ACCC000 0x00004000 0x00003000 com.apple.iokit.IOACPIFamily (1.2.0)
 17  12   ?          0x00011000 0x00010000 com.apple.iokit.IOPCIFamily (2.6)
 16   1   0x00000000 0x00000000 0x00000000 com.apple.kernel.mach (7.9.9)
 15   1   0x00000000 0x00000000 0x00000000 com.apple.kernel.libkern (7.9.9)
 14   1   0x00000000 0x00000000 0x00000000 com.apple.kernel.iokit (7.9.9)
 13   1   0x00000000 0x00000000 0x00000000 com.apple.kernel.bsd (7.9.9)
 12  12   0x00000000 0x00000000 0x00000000 com.apple.kernel.6.0 (7.9.9)
 11   1   0x00000000 0x00000000 0x00000000 com.apple.iokit.ApplePlatformFamily (9.7.0)
 10   1   0x00000000 0x00000000 0x00000000 com.apple.iokit.IOSystemManagementFamily (9.7.0)
  9   1   0x00000000 0x00000000 0x00000000 com.apple.driver.AppleNMI (9.7.0)
  8   1   0x00000000 0x00000000 0x00000000 com.apple.iokit.IONVRAMFamily (9.7.0)
  7  29   0x00000000 0x00000000 0x00000000 com.apple.kpi.unsupported (9.7.0)
  6  44   0x00000000 0x00000000 0x00000000 com.apple.kpi.mach (9.7.0)
  5  51   0x00000000 0x00000000 0x00000000 com.apple.kpi.libkern (9.7.0)
  4  48   0x00000000 0x00000000 0x00000000 com.apple.kpi.iokit (9.7.0)
  3   3   0x00000000 0x00000000 0x00000000 com.apple.kpi.dsep (9.7.0)
  2  31   0x00000000 0x00000000 0x00000000 com.apple.kpi.bsd (9.7.0)
  1   1   0x00000000 0x00000000 0x00000000 com.apple.kernel (9.7.0)
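An added example, not the presenter's tool, that walks the kmod list the way the field table above describes and produces the same columns as the listing. The kmod_info layout is taken from the public 32-bit xnu headers and is an assumption to verify against the kernel being analysed. The image is constructed and identity mapped (the KPA = KVA case), so read() is a plain slice; on a real dump the same callback would route each read through a page-table walk. The extension names are borrowed from the listing above, the list-head location, structure addresses and sizes are made up.

```python
import struct

# kmod_info_t on the 32-bit xnu kernels (osfmk/mach/kmod.h): next,
# info_version, id, name[64], version[64], reference_count, reference_list,
# address, size, hdr_size, start, stop -> 168 bytes. Assumed from the public
# headers; re-check the offsets against the kernel you analyse.
KMOD_FMT = "<IiI64s64siIIIIII"
KMOD_SIZE = struct.calcsize(KMOD_FMT)       # 168
KMOD_INFO_VERSION = 1


def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def walk_kmods(read, kmod_sym_va, max_entries=4096):
    """Follow the list from the `_kmod` list head. read(va, n) returns bytes
    of kernel virtual memory. Stops on NULL, refuses a cycle and refuses an
    entry whose fields are not plausible, so a corrupted link cannot spin."""
    entries, seen = [], set()
    ptr, = struct.unpack("<I", read(kmod_sym_va, 4))
    while ptr and len(entries) < max_entries:
        if ptr in seen:
            raise ValueError("cycle in kmod list at %#x" % ptr)
        seen.add(ptr)
        (nxt, info_version, kid, name, version, refs, _reflist,
         address, size, hdr_size, _start, _stop) = struct.unpack(KMOD_FMT, read(ptr, KMOD_SIZE))
        entry = dict(id=kid, refs=refs, address=address, size=size,
                     hdr_size=hdr_size, name=cstr(name), version=cstr(version))
        if info_version != KMOD_INFO_VERSION or not entry["name"] or hdr_size > size:
            raise ValueError("implausible kmod_info at %#x: %r" % (ptr, entry))
        entries.append(entry)
        ptr = nxt
    return entries


class IdentityImage:
    """Constructed image where KPA = KVA, as the slides state for the kernel's
    own text/data. Kext bodies on a real system live in kernel-allocated
    pages and need a page-table walk instead of this slice."""
    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, va, n):
        if va + n > len(self.buf):
            raise ValueError("address %#x outside the image" % va)
        return bytes(self.buf[va:va + n])

    def put(self, va, data):
        self.buf[va:va + len(data)] = data


DEMO_KMODS = [  # (struct VA, id, refs, address, size, hdr_size, name, version): constructed
    (0x20000, 42, 0, 0x20A3F000, 0x2000, 0x1000, "com.apple.iokit.IOUSBUserClient", "3.3.1"),
    (0x21000, 39, 8, 0x2085B000, 0x29000, 0x28000, "com.apple.iokit.IOUSBFamily", "3.4.3"),
    (0x22000, 1, 1, 0, 0, 0, "com.apple.kernel", "9.7.0"),   # built-in: address 0, like the listing
]
KMOD_VA = 0x1000          # where the `_kmod` variable would sit in .data (constructed)


def build_kmod_image():
    img = IdentityImage(0x30000)
    for i, (va, kid, refs, addr, size, hdr, name, ver) in enumerate(DEMO_KMODS):
        nxt = DEMO_KMODS[i + 1][0] if i + 1 < len(DEMO_KMODS) else 0
        img.put(va, struct.pack(KMOD_FMT, nxt, KMOD_INFO_VERSION, kid, name.encode(),
                                ver.encode(), refs, 0, addr, size, hdr, 0, 0))
    img.put(KMOD_VA, struct.pack("<I", DEMO_KMODS[0][0]))
    return img


def with_cycle(img):
    """Copy of the image whose last entry points back to the first: the
    corruption case the walker must refuse."""
    bad = IdentityImage(len(img.buf))
    bad.buf[:] = img.buf
    bad.put(DEMO_KMODS[-1][0], struct.pack("<I", DEMO_KMODS[0][0]))
    return bad


IMG = build_kmod_image()

if __name__ == "__main__":
    for e in walk_kmods(IMG.read, KMOD_VA):
        print("%3d %3d %#010x %#010x %#010x %s (%s)" % (
            e["id"], e["refs"], e["address"], e["size"], e["hdr_size"], e["name"], e["version"]))
```

The plausibility check (info_version, non-empty name, hdr_size not larger than size) is what tells a wrong structure offset or a wrong list head apart from a genuine entry before garbage is reported as a loaded extension.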
The kernproc variable is the list head of every BSD process,
defined by the proc structure (the exported allproc list head links
the same proc structures through their p_list field).

Contains PID, parent PID, open files (file descriptors),
children, threads, name and a pointer (p_pgrp field) to the
process group (pgrp structure).

The pgrp structure contains a pointer to the session structure
(pg_session field).

The session structure contains the username (s_login field)
who launched the process.
• The syscall table address (sysent) is not exported.

Leopard

As explained by Jesse D'Aguanno at BH US 2008:

&sysent = &nsysent + 0x2

Snow Leopard

&sysent = &nsysent - ((nsysent) * sizeof(sysent))
If the address in a syscall entry does not match a kernel symbol,
then this is not normal :)

Easy & fast.

[Screenshot: syscall table dump, one line per sysent entry with the
sy_call address and the kernel symbol it resolves to. The readable
symbol column, in table order, is: _nosys, _exit, _fork, _read, _write,
_open, _close, _wait4, _nosys, _link, _unlink, _nosys, _chdir, _fchdir,
_mknod, _chmod, _chown, _obreak, _getfsstat, _getpid, _nosys, _nosys,
_setuid, _getuid, _geteuid, _ptrace, _recvmsg, _sendmsg, _recvfrom,
_accept, _getpeername, _getsockname, _access, _chflags, _fchflags,
_sync, _kill, _nosys, _getppid, _nosys, _dup, _pipe, _getegid, _profil,
_nosys, _sigaction, _getgid, _getlogin, _setlogin, _acct, _sigpending,
_sigaltstack, _ioctl, _reboot, _symlink. The address column is not
legible in the extraction.]
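An added example, not the presenter's code, of the check described above, run on a constructed image: locate sysent from nsysent with the two rules on the slides, decode each entry with the 32-bit struct sysent layout assumed from xnu's bsd/sys/sysent.h, and flag any sy_call that is not a known kernel symbol or lies outside the kernel text. The symbol addresses, text bounds and table contents are invented for the demo; the constructed image uses the Snow Leopard layout (table immediately before nsysent), and entry 4 (write) is deliberately pointed into a kext's address range to show what a hooked entry looks like. The offset rule is also sanity-checked: the first four entries must resolve to the well-known head of the BSD table before the result is trusted.

```python
import struct

# struct sysent on the 32-bit Leopard / Snow Leopard kernels, assumed from
# xnu's bsd/sys/sysent.h: int16 sy_narg, int8 sy_resv, int8 sy_flags,
# sy_call, sy_arg_munge32, sy_arg_munge64, int32 sy_return_type,
# uint16 sy_arg_bytes and 2 bytes of padding -> 24 bytes. Verify
# sizeof(struct sysent) against the kernel you analyse.
SYSENT_FMT = "<hbbIIIiH2x"
SYSENT_SIZE = struct.calcsize(SYSENT_FMT)      # 24

KERNEL_TEXT = (0x00100000, 0x00500000)         # constructed __TEXT bounds
SYMBOLS = {                                     # constructed, not real kernel addresses
    "_nosys": 0x003907F5, "_exit": 0x0037DF34, "_fork": 0x00378B4A,
    "_read": 0x00390C0E, "_write": 0x0039134C, "_open": 0x001E42AC,
    "_close": 0x0036C75E, "_wait4": 0x00375EB2,
}
SYSCALL_ORDER = ("_nosys", "_exit", "_fork", "_read", "_write", "_open", "_close", "_wait4")


def sysent_address(nsysent_va, nsysent_value, release):
    """Locate the non-exported sysent table from the exported nsysent symbol
    with the two rules on the slides (Leopard rule due to Jesse D'Aguanno)."""
    if release == "leopard":
        return nsysent_va + 0x2
    if release == "snow_leopard":
        return nsysent_va - nsysent_value * SYSENT_SIZE
    raise ValueError("unknown release %r" % release)


def check_sysent(read, sysent_va, nsysent, symbols, text_range):
    """Decode every entry and flag a sy_call that is not a kernel symbol or
    lies outside the kernel text: the slide's 'not normal' case."""
    by_addr = {addr: name for name, addr in symbols.items()}
    lo, hi = text_range
    raw = read(sysent_va, nsysent * SYSENT_SIZE)
    rows = []
    for i in range(nsysent):
        narg, _resv, _flags, sy_call, _m32, _m64, _rtype, _argbytes = \
            struct.unpack_from(SYSENT_FMT, raw, i * SYSENT_SIZE)
        name = by_addr.get(sy_call)
        rows.append(dict(index=i, narg=narg, sy_call=sy_call, symbol=name,
                         suspicious=name is None or not (lo <= sy_call < hi)))
    return rows


def audit(image, nsysent_va, release="snow_leopard"):
    """Read nsysent from the identity-mapped (KPA = KVA) kernel data, find the
    table and check the offset rule on the table head. A rootkit hooking one
    of the first four syscalls would also fail this check; the table then has
    to be confirmed by hand."""
    read = lambda va, n: bytes(image[va:va + n])
    nsysent, = struct.unpack("<i", read(nsysent_va, 4))
    table_va = sysent_address(nsysent_va, nsysent, release)
    rows = check_sysent(read, table_va, nsysent, SYMBOLS, KERNEL_TEXT)
    head = [r["symbol"] for r in rows[:4]]
    if head != list(SYSCALL_ORDER[:4]):
        raise ValueError("table at %#x starts with %r; offset rule wrong?" % (table_va, head))
    return rows


def build_demo_image():
    """Constructed 4 KiB image laid out the Snow Leopard way: an 8-entry
    sysent immediately followed by nsysent. Entry 4 (write) is deliberately
    pointed into a kext's address range to simulate a hooked syscall."""
    image = bytearray(0x1000)
    nsysent_va, n = 0x2C0, len(SYSCALL_ORDER)
    calls = [SYMBOLS[s] for s in SYSCALL_ORDER]
    calls[4] = 0x20A3F200
    table_va = nsysent_va - n * SYSENT_SIZE
    for i, sy_call in enumerate(calls):
        struct.pack_into(SYSENT_FMT, image, table_va + i * SYSENT_SIZE,
                         3 if i else 0, 0, 0, sy_call, 0, 0, 0, 12)
    struct.pack_into("<i", image, nsysent_va, n)
    return image, nsysent_va


IMAGE, NSYSENT_VA = build_demo_image()

if __name__ == "__main__":
    for r in audit(IMAGE, NSYSENT_VA):
        flag = "  <-- not a kernel symbol" if r["suspicious"] else ""
        print("%3d %#010x %s%s" % (r["index"], r["sy_call"], r["symbol"] or "?", flag))
```

Two conditions are tested per entry on purpose: a hook placed inside the kernel text but not at a symbol start (a trampoline patched into existing code) fails the symbol match, while a pointer redirected into a kext fails both.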
QUESTIONS ?